Ch.

9 – VLANs (Virtual LANs)

CCNA 3 version 3.0

.
Overview

• We will not cover all of the slides in this presentation, as we have

covered much of this in previous presentations.

• Define VLANs
• List the benefits of VLANs
• Explain how VLANs are used to create broadcast domains
• Explain how routers are used for communication between VLANs
• List the common VLAN types
• Define ISL and 802.1Q
• Explain the concept of geographic VLANs
• Configure static VLANs on 29xx series Catalyst switches
• Verify and save VLAN configurations
• Delete VLANs from a switch configuration

Rick Graziani graziani@cabrillo.edu 2

.
VLAN introduction

• VLANs provide segmentation based on broadcast domains.

• VLANs logically segment switched networks based on the functions,
project teams, or applications of the organization regardless of the
physical location or connections to the network.
• All workstations and servers used by a particular workgroup share the
same VLAN, regardless of the physical connection or location.

Rick Graziani graziani@cabrillo.edu 3

.
VLAN introduction

• VLANs are created to provide segmentation services traditionally

provided by physical routers in LAN configurations.
• VLANs address scalability, security, and network management.
Routers in VLAN topologies provide broadcast filtering, security, and
traffic flow management.
• Switches may not bridge any traffic between VLANs, as this would
violate the integrity of the VLAN broadcast domain.
• Traffic should only be routed between VLANs.

Rick Graziani graziani@cabrillo.edu 4

.
Broadcast domains with VLANs and routers

• A VLAN is a broadcast domain created by one or more switches.

• The network design above creates three separate broadcast
domains.
Rick Graziani graziani@cabrillo.edu 5
Broadcast domains with VLANs and routers
10.0.0.0/8 2) With or 10.1.0.0/16
1) Without
VLANs without
VLANs
10.2.0.0/16

10.3.0.0/16

• 1) No VLANs, or in other words, One One link per VLAN or a single VLAN
VLAN. Single IP network. Trunk (later) 10.1.0.0/16
• 2) With or without VLANs. However this 1) With
can be and example of no VLANS. In both
VLANs
examples, each group (switch) is on a
10.2.0.0/16
different IP network.
• 3) Using VLANs. Switch is configured with
the ports on the appropriate VLAN.
• What are the broadcast domains in each? 10.3.0.0/16

Rick Graziani graziani@cabrillo.edu 6

.
VLAN operation

• Each switch port can be assigned to a different VLAN.

• Ports assigned to the same VLAN share broadcasts.
• Ports that do not belong to that VLAN do not share these broadcasts.
Rick Graziani graziani@cabrillo.edu 7
.
VLAN operation

• Static membership VLANs are called port-based and port-centric

membership VLANs.
• As a device enters the network, it automatically assumes the VLAN
membership of the port to which it is attached.
• “The default VLAN for every port in the switch is the management
VLAN. The management VLAN is always VLAN 1 and may not be
deleted.”
– This statement does not give the whole story. We will examine
Management, Default and other VLANs at the end.
• All other ports on the switch may be reassigned to alternate VLANs.
• More on VLAN 1 later.

Rick Graziani graziani@cabrillo.edu 8

. VLAN
operation Switch 1
172.30.1.21
172.30.2.12
255.255.255.0
255.255.255.0
VLAN 1
VLAN 2

172.30.2.10 172.30.1.23
255.255.255.0 255.255.255.0
1 2 3 4 5 6 . Port VLAN 2 VLAN 1
1 2 1 2 2 1 . VLAN

Two VLANs
Ÿ Two Subnets
Important notes on VLANs:
1. VLANs are assigned on the switch port. There is no “VLAN”
assignment done on the host (usually).
2. In order for a host to be a part of that VLAN, it must be assigned an IP
address that belongs to the proper subnet.
Remember: VLAN = Subnet

Rick Graziani graziani@cabrillo.edu 9

.
VLAN operation

• Dynamic membership VLANs are created through network

management software. (Not as common as static VLANs)
• CiscoWorks 2000 or CiscoWorks for Switched Internetworks is used to
create Dynamic VLANs.
• Dynamic VLANs allow for membership based on the MAC address of
the device connected to the switch port.
• As a device enters the network, it queries a database within the switch
for a VLAN membership.

Rick Graziani graziani@cabrillo.edu 10

Benefits of VLANs

If a hub is connected to VLAN port on

a switch, all devices on that hub must
belong to the same VLAN.

• The key benefit of VLANs is that they permit the network administrator
to organize the LAN logically instead of physically.
• Note: Can be done without VLANs, but VLANs limit the broadcast
domains
• This means that an administrator is able to do all of the following:
– Easily move workstations on the LAN.
– Easily add workstations to the LAN.
– Easily change the LAN configuration.
– Easily control network traffic.
– Improve
Rick Graziani security.
graziani@cabrillo.edu 11
 Without VLANs – No Broadcast Control

ARP Request

172.30.1.21
Switch 1
172.30.2.12
255.255.255.0
255.255.255.0

172.30.2.10 172.30.1.23
255.255.255.0 255.255.255.0
No VLANs
Ÿ Same as a single VLAN
Ÿ Two Subnets

• Without VLANs, the ARP Request would be seen by all hosts.

• Again, consuming unnecessary network bandwidth and host processing
cycles.

Rick Graziani graziani@cabrillo.edu 12

With VLANs – Broadcast Control
Switch Port: VLAN ID
ARP Request

172.30.1.21
Switch 1
172.30.2.12
255.255.255.0
255.255.255.0
VLAN 1
VLAN 2

172.30.2.10 172.30.1.23
255.255.255.0 255.255.255.0
VLAN 2 VLAN 1 1 2 3 4 5 6 . Port
1 2 1 2 2 1 . VLAN

Two VLANs
Ÿ Two Subnets

Rick Graziani graziani@cabrillo.edu 13

VLAN Types

Rick Graziani graziani@cabrillo.edu 14

.
MAC address Based VLANs

• Rarely implemented.
Rick Graziani graziani@cabrillo.edu 15
.
VLAN Tagging

• VLAN Tagging is used when a link needs to carry traffic for more than
one VLAN.
– Trunk link: As packets are received by the switch from any attached
end-station device, a unique packet identifier is added within each
header.
• This header information designates the VLAN membership of each
packet.
• The packet is then forwarded to the appropriate switches or routers based
on the VLAN identifier and MAC address.
• Upon reaching the destination node (Switch) the VLAN ID is removed from
the packet by the adjacent switch and forwarded to the attached device.
• Packet tagging provides a mechanism for controlling the flow of broadcasts
and applications while not interfering with the network and applications.
Rick Graziani graziani@cabrillo.edu 16
.
VLAN Tagging

No VLAN Tagging

VLAN Tagging

• VLAN Tagging is used when a single link needs to carry

traffic for more than one VLAN.

Rick Graziani graziani@cabrillo.edu 17

.
VLAN Tagging

802.10

• There are two major methods of frame tagging, Cisco proprietary Inter-
Switch Link (ISL) and IEEE 802.1Q.
• ISL used to be the most common, but is now being replaced by 802.1Q
frame tagging.
• Cisco recommends using 802.1Q.
• VLAN Tagging and Trunking will be discussed in the next chapter.
Rick Graziani graziani@cabrillo.edu 18
.
Two Types of VLANs

• End-to-End or Campus-wide VLANs

• Geographic or Local VLANs

Rick Graziani graziani@cabrillo.edu 19

.
End-to-End or Campus-wide VLANs

Rick Graziani graziani@cabrillo.edu 20

.
Geographic or Local VLANs

Rick Graziani graziani@cabrillo.edu 21

.
End-to-End or Campus-wide VLANs

• End-to-End or Campus-wide VLANs

– Same VLAN/Subnet no matter what the location is on the network
– Trunking at the Core
– Usually not recommended by Cisco or other Vendors
– Adds complexity to network administration
– Does not resolve Layer 2 Spanning Tree issues
– Use to be recommended with routing at the Core was considered to
slow.
Rick Graziani graziani@cabrillo.edu 22
.
End-to-End or Campus-wide VLANs

• The core layer router is being used to route between subnets (VLANs).
• The network is engineered, based on traffic flow patterns, to have
80 percent of the traffic contained within a VLAN.
• The remaining 20 percent crosses the router to the enterprise servers
and to the Internet and WAN.
• Note: This is known as the 80/20 rule. With today’s traffic
patterns, this rule is becoming obsolete.

Rick Graziani graziani@cabrillo.edu 23

.
Geographic or Local VLANs

• Geographic or Local VLANs

– More common
– Routing at the core
– Different VLAN/Subnet depending upon location

Rick Graziani graziani@cabrillo.edu 24

Geographic or Local VLANs

• As many corporate networks have moved to centralize their resources,

end-to-end VLANs have become more difficult to maintain.
• Users are required to use many different resources, many of which are
no longer in their VLAN.
• Because of this shift in placement and usage of resources, VLANs are
now more frequently being created around geographic boundaries
rather than commonality boundaries.

Rick Graziani graziani@cabrillo.edu 25

.
Geographic or Local VLANs

• This geographic location can be as large as an entire building or as

small as a single switch inside a wiring closet.
• In a VLAN structure, it is typical to find the new 20/80 rule in
effect. 80 percent of the traffic is remote to the user and 20
percent of the traffic is local to the user.
• Although this topology means that the user must cross a Layer 3
device in order to reach 80 percent of the resources, this design allows
the network to provide for a deterministic, consistent method of
accessing resources.
Rick Graziani graziani@cabrillo.edu 26
.
Configuring static VLANs

• The following guidelines must be followed when configuring VLANs on

Cisco 29xx switches:
– The maximum number of VLANs is switch dependent.
• 29xx switches commonly allow 4,095 VLANs
– VLAN 1 is one of the factory-default VLANs.
– VLAN 1 is the default Ethernet VLAN.
– Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol
(VTP) advertisements are sent on VLAN 1.
– The Catalyst 29xx IP address is in the VLAN 1 broadcast domain
by default.
– “The switch must be in VTP server mode to create, add, or delete
VLANs.” (This is not true. Switch could be in VTP Transparent
mode. VTP will be discussed in a moment.)
Rick Graziani graziani@cabrillo.edu 27
.
Creating VLANs

• Assigning access ports (non-trunk ports) to a specific VLAN

Switch(config)#interface fastethernet 0/9
Switch(config-if)#switchport access vlan vlan_number

• Create the VLAN: (This step is not required and will be discussed
later.)
Switch#vlan database
Switch(vlan)#vlan vlan_number
Switch(vlan)#exit
Rick Graziani graziani@cabrillo.edu 28
.
Creating VLANs

Default vlan Default

vlan 1 10 vlan 1
• Assign ports to the VLAN
Switch(config)#interface fastethernet 0/9
Switch(config-if)#switchport access vlan 10

• access – Denotes this port as an access port and not a trunk link (later)

Rick Graziani graziani@cabrillo.edu 29

.
Creating VLANs

Default vlan Default

vlan 1 300 vlan 1

Rick Graziani graziani@cabrillo.edu 30

.
Configuring Ranges of VLANs

vlan 2

SydneySwitch(config)#interface fastethernet 0/5

SydneySwitch(config-if)#switchport access vlan 2
SydneySwitch(config-if)#exit
SydneySwitch(config)#interface fastethernet 0/6
SydneySwitch(config-if)#switchport access vlan 2
SydneySwitch(config-if)#exit
SydneySwitch(config)#interface fastethernet 0/7
SydneySwitch(config-if)#switchport access vlan 2

Rick Graziani graziani@cabrillo.edu 31

.
Configuring Ranges of VLANs

vlan 3

SydneySwitch(config)#interface range fastethernet 0/8,

fastethernet 0/12
SydneySwitch(config-if)#switchport access vlan 3
SydneySwitch(config-if)#exit

This command does not work on all 2900 switches, such as the 2900
Series XL. It does work on the 2950.

Rick Graziani graziani@cabrillo.edu 32

.
Creating VLANs

Default vlan Default

vlan 1 300 vlan 1
SydneySwitch(config)#interface fastethernet 0/1
SydneySwitch(config-if)#switchport mode access
SydneySwitch(config-if)#exit

Note: The switchport mode access command should be configured

on all ports that the network administrator does not want to become a
trunk port.
• This will be discussed in more in the next chapter, section on DTP.

Rick Graziani graziani@cabrillo.edu 33

.
Creating VLANs

This link will become a trunking link unless one of the

Default: dynamic desirable ports is configured with as an access link, I.e.
switchport mode access

• By default, all ports are configured as switchport mode dynamic

desirable, which means that if the port is connected to another switch with
an port configured with the same default mode (or desirable or auto), this link
will become a trunking link. (See my article on DTP on my web site for more
information.)
• When the switchport access vlan command is used, the switchport
mode access command is not necessary since the switchport access
vlan command configures the interface as an “access” port (non-trunk port).
• This will be discussed in more in the next chapter, section on DTP.
Rick Graziani graziani@cabrillo.edu 34
.
Verifying VLANs – show vlan

vlan 1 vlan 2 vlan 3

default

Rick Graziani graziani@cabrillo.edu 35

.
Verifying VLANs – show vlan brief

vlan 1 vlan 2 vlan 3

default

Rick Graziani graziani@cabrillo.edu 36

.
vlan database commands

• Optional Command to add, delete, or modify VLANs.

• VLAN names, numbers, and VTP (VLAN Trunking Protocol)
information can be entered which “may” affect other switches besides
this one. (Discussed later).
• This does not assign any VLANs to an interface.

Switch#vlan database
Switch(vlan)#?
VLAN database editing buffer manipulation commands:
abort Exit mode without applying the changes
apply Apply current changes and bump revision number
exit Apply changes, bump revision number, and exit mode
no Negate a command or set its defaults
reset Abandon current changes and reread current database
show Show database information
vlan Add, delete, or modify values associated with a single VLAN
vtp Perform VTP administrative functions.

Rick Graziani graziani@cabrillo.edu 37

.
Deleting VLANs

Switch(config-if)#no switchport access vlan vlan_number

Rick Graziani graziani@cabrillo.edu 38

Ch. 8 – VLANs (Virtual LANs)

CCNA 3 version 3.0

Rick Graziani
Cabrillo College